Revert some commits and update to latest upstream 1.32

.bazelrc

@@ -393,9 +393,9 @@ build:remote-ci --config=ci
 build:remote-ci --remote_download_minimal
 
 # Note this config is used by mobile CI also.
-build:ci --noshow_progress
-build:ci --noshow_loading_progress
-build:ci --test_output=errors
+common:ci --noshow_progress
+common:ci --noshow_loading_progress
+common:ci --test_output=errors
 
 # Fuzz builds
 
@@ -512,26 +512,28 @@ build:rbe-engflow --bes_upload_mode=fully_async
 build:rbe-engflow --nolegacy_important_outputs
 
 # RBE (Engflow Envoy)
-build:common-envoy-engflow --google_default_credentials=false
-build:common-envoy-engflow --credential_helper=*.engflow.com=%workspace%/bazel/engflow-bazel-credential-helper.sh
-build:common-envoy-engflow --grpc_keepalive_time=30s
-
-build:cache-envoy-engflow --remote_cache=grpcs://mordenite.cluster.engflow.com
-build:cache-envoy-engflow --remote_timeout=3600s
-build:bes-envoy-engflow --bes_backend=grpcs://mordenite.cluster.engflow.com/
-build:bes-envoy-engflow --bes_results_url=https://mordenite.cluster.engflow.com/invocation/
-build:bes-envoy-engflow --bes_timeout=3600s
-build:bes-envoy-engflow --bes_upload_mode=fully_async
-build:bes-envoy-engflow --nolegacy_important_outputs
-build:rbe-envoy-engflow --remote_executor=grpcs://mordenite.cluster.engflow.com
-build:rbe-envoy-engflow --remote_default_exec_properties=container-image=docker://gcr.io/envoy-ci/envoy-build@sha256:7adc40c09508f957624c4d2e0f5aeecb73a59207ee6ded53b107eac828c091b2
-build:rbe-envoy-engflow --jobs=200
-build:rbe-envoy-engflow --define=engflow_rbe=true
-
-build:remote-envoy-engflow --config=common-envoy-engflow
-build:remote-envoy-engflow --config=cache-envoy-engflow
-build:remote-envoy-engflow --config=bes-envoy-engflow
-build:remote-envoy-engflow --config=rbe-envoy-engflow
+common:common-envoy-engflow --google_default_credentials=false
+common:common-envoy-engflow --credential_helper=*.engflow.com=%workspace%/bazel/engflow-bazel-credential-helper.sh
+common:common-envoy-engflow --grpc_keepalive_time=30s
+
+common:cache-envoy-engflow --remote_cache=grpcs://mordenite.cluster.engflow.com
+common:cache-envoy-engflow --remote_timeout=3600s
+common:bes-envoy-engflow --bes_backend=grpcs://mordenite.cluster.engflow.com/
+common:bes-envoy-engflow --bes_results_url=https://mordenite.cluster.engflow.com/invocation/
+common:bes-envoy-engflow --bes_timeout=3600s
+common:bes-envoy-engflow --bes_upload_mode=fully_async
+common:bes-envoy-engflow --nolegacy_important_outputs
+common:rbe-envoy-engflow --remote_executor=grpcs://mordenite.cluster.engflow.com
+common:rbe-envoy-engflow --remote_default_exec_properties=container-image=docker://gcr.io/envoy-ci/envoy-build@sha256:7adc40c09508f957624c4d2e0f5aeecb73a59207ee6ded53b107eac828c091b2
+common:rbe-envoy-engflow --jobs=200
+common:rbe-envoy-engflow --define=engflow_rbe=true
+
+common:remote-envoy-engflow --config=common-envoy-engflow
+common:remote-envoy-engflow --config=cache-envoy-engflow
+common:remote-envoy-engflow --config=rbe-envoy-engflow
+
+common:remote-cache-envoy-engflow --config=common-envoy-engflow
+common:remote-cache-envoy-engflow --config=cache-envoy-engflow
 
 #############################################################################
 # debug: Various Bazel debugging flags
@@ -555,6 +557,7 @@ common:debug --config=debug-sandbox
 common:debug --config=debug-coverage
 common:debug --config=debug-tests
 
+try-import %workspace%/repo.bazelrc
 try-import %workspace%/clang.bazelrc
 try-import %workspace%/user.bazelrc
 try-import %workspace%/local_tsan.bazelrc

.github/workflows/_precheck_publish.yml

@@ -62,9 +62,7 @@ jobs:
           target-suffix: arm64
           arch: arm64
           bazel-extra: >-
-            --config=common-envoy-engflow
-            --config=cache-envoy-engflow
-            --config=bes-envoy-engflow
+            --config=remote-cache-envoy-engflow
           rbe: false
           runs-on: envoy-arm64-large
           timeout-minutes: 180

.github/workflows/_publish_build.yml

@@ -67,9 +67,7 @@ jobs:
           name: Release (arm64)
           arch: arm64
           bazel-extra: >-
-            --config=cache-envoy-engflow
-            --config=common-envoy-engflow
-            --config=bes-envoy-engflow
+            --config=remote-cache-envoy-engflow
           rbe: false
           runs-on: envoy-arm64-medium
 
@@ -86,9 +84,7 @@ jobs:
     uses: ./.github/workflows/_run.yml
     with:
       bazel-extra: >-
-        --config=cache-envoy-engflow
-        --config=common-envoy-engflow
-        --config=bes-envoy-engflow
+        --config=remote-cache-envoy-engflow
       downloads: |
         release.${{ matrix.arch }}: release/${{ matrix.arch }}/bin/
       target: ${{ matrix.target }}
@@ -163,6 +159,11 @@ jobs:
     uses: ./.github/workflows/_run.yml
     with:
       target: release.signed
+      bazel-extra: >-
+        --//distribution:x64-packages=//distribution:custom/x64/packages.x64.tar.gz
+        --//distribution:arm64-packages=//distribution:custom/arm64/packages.arm64.tar.gz
+        --//distribution:x64-release=//distribution:custom/x64/bin/release.tar.zst
+        --//distribution:arm64-release=//distribution:custom/arm64/bin/release.tar.zst
       cache-build-image: ${{ fromJSON(inputs.request).request.build-image.default }}
       downloads: |
         packages.arm64: envoy/arm64/

.github/workflows/_publish_verify.yml

@@ -132,7 +132,5 @@ jobs:
           target: verify_distro
           arch: arm64
           bazel-extra: >-
-            --config=cache-envoy-engflow
-            --config=common-envoy-engflow
-            --config=bes-envoy-engflow
+            --config=remote-cache-envoy-engflow
           runs-on: envoy-arm64-small

.github/workflows/_run.yml

@@ -286,6 +286,10 @@ jobs:
         BAZEL_BUILD_EXTRA_OPTIONS="--google_credentials=/build/${GCP_SERVICE_ACCOUNT_KEY_FILE} --config=remote-ci --config=rbe-google"
         echo "BAZEL_BUILD_EXTRA_OPTIONS=${BAZEL_BUILD_EXTRA_OPTIONS}" >> "$GITHUB_ENV"
 
+    - run: |
+        echo "${{ vars.ENVOY_CI_BAZELRC }}" > repo.bazelrc
+      if: ${{ vars.ENVOY_CI_BAZELRC }}
+
     - uses: envoyproxy/toolshed/gh-actions/github/[email protected]
       name: Run CI ${{ inputs.command }} ${{ inputs.target }}
       with:

.github/workflows/codeql-push.yml

@@ -8,9 +8,11 @@ on:
     paths:
     - include/**
     - source/common/**
-    branches-ignore:
-    - dependabot/**
+    branches:
+    - main
   pull_request:
+    branches:
+    - main
 
 concurrency:
   group: ${{ github.head_ref || github.run_id }}-${{ github.workflow }}

.github/workflows/envoy-macos.yml

@@ -67,9 +67,7 @@ jobs:
             _BAZEL_BUILD_EXTRA_OPTIONS=(
               --remote_download_toplevel
               --flaky_test_attempts=2
-              --config=bes-envoy-engflow
-              --config=cache-envoy-engflow
-              --config=common-envoy-engflow
+              --config=remote-cache-envoy-engflow
               --config=ci)
             export BAZEL_BUILD_EXTRA_OPTIONS=${_BAZEL_BUILD_EXTRA_OPTIONS[*]}
 

.github/workflows/pr_notifier.yml

@@ -1,5 +1,7 @@
 on:
   pull_request:
+    branches:
+    - main
   workflow_dispatch:
   schedule:
   - cron: '0 5 * * 1,2,3,4,5'

.github/workflows/request.yml

@@ -24,13 +24,6 @@ concurrency:
 
 jobs:
   request:
-    # For branches this can be pinned to a specific version if required
-    # NB: `uses` cannot be dynamic so it _must_ be hardcoded anywhere it is read
-    uses: envoyproxy/envoy/.github/workflows/_request.yml@main
-    if: >-
-      ${{ github.repository == 'envoyproxy/envoy'
-          || (vars.ENVOY_CI && github.event_name != 'schedule')
-          || (vars.ENVOY_SCHEDULED_CI && github.event_name == 'schedule') }}
     permissions:
       actions: read
       contents: read
@@ -41,3 +34,15 @@ jobs:
       # these are required to start checks
       app-key: ${{ secrets.ENVOY_CI_APP_KEY }}
       app-id: ${{ secrets.ENVOY_CI_APP_ID }}
+      lock-app-key: ${{ secrets.ENVOY_CI_MUTEX_APP_KEY }}
+      lock-app-id: ${{ secrets.ENVOY_CI_MUTEX_APP_ID }}
+      gcs-cache-key: ${{ secrets.GCS_CACHE_WRITE_KEY }}
+    with:
+      gcs-cache-bucket: ${{ vars.ENVOY_CACHE_BUCKET }}
+    # For branches this can be pinned to a specific version if required
+    # NB: `uses` cannot be dynamic so it _must_ be hardcoded anywhere it is read
+    uses: envoyproxy/envoy/.github/workflows/_request.yml@main
+    if: >-
+      ${{ github.repository == 'envoyproxy/envoy'
+          || (vars.ENVOY_CI && github.event_name != 'schedule')
+          || (vars.ENVOY_SCHEDULED_CI && github.event_name == 'schedule') }}

VERSION.txt

@@ -1 +1 @@
-1.32.1-dev
+1.32.3-dev

api/bazel/repository_locations.bzl

@@ -179,12 +179,12 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_name = "envoy_toolshed",
         project_desc = "Tooling, libraries, runners and checkers for Envoy proxy's CI",
         project_url = "https://github.com/envoyproxy/toolshed",
-        version = "0.1.12",
-        sha256 = "cbd919462d3301ffcd83bcbc3763914201e08ac97d9237cd75219725760321d0",
+        version = "0.1.16",
+        sha256 = "06939757b00b318e89996ca3d4d2468ac2da1ff48a7b2cd9146b2054c3ff4769",
         strip_prefix = "toolshed-bazel-v{version}/bazel",
         urls = ["https://github.com/envoyproxy/toolshed/archive/bazel-v{version}.tar.gz"],
         use_category = ["build"],
-        release_date = "2024-09-08",
+        release_date = "2024-11-18",
         cpe = "N/A",
         license = "Apache-2.0",
         license_url = "https://github.com/envoyproxy/envoy/blob/bazel-v{version}/LICENSE",

api/envoy/config/cluster/v3/cluster.proto

@@ -965,7 +965,7 @@ message Cluster {
   // :ref:`STRICT_DNS<envoy_v3_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.STRICT_DNS>`
   // and :ref:`LOGICAL_DNS<envoy_v3_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.LOGICAL_DNS>`
   // this setting is ignored.
-  google.protobuf.Duration dns_jitter = 58;
+  google.protobuf.Duration dns_jitter = 58 [(validate.rules).duration = {gte {}}];
 
   // If the DNS failure refresh rate is specified and the cluster type is either
   // :ref:`STRICT_DNS<envoy_v3_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.STRICT_DNS>`,

bazel/c-ares.patch

@@ -0,0 +1,20 @@
+# Patch for c-ares CVE-2024-25629
+diff --git a/src/lib/ares__read_line.c b/src/lib/ares__read_line.c
+index d65ac1fcf8..018f55e8b2 100644
+--- a/src/lib/ares__read_line.c
++++ b/src/lib/ares__read_line.c
+@@ -59,6 +59,14 @@ ares_status_t ares__read_line(FILE *fp, char **buf, size_t *bufsize)
+       return (offset != 0) ? 0 : (ferror(fp)) ? ARES_EFILE : ARES_EOF;
+     }
+     len = offset + ares_strlen(*buf + offset);
++
++    /* Probably means there was an embedded NULL as the first character in
++     * the line, throw away line */
++    if (len == 0) {
++      offset = 0;
++      continue;
++    }
++
+     if ((*buf)[len - 1] == '\n') {
+       (*buf)[len - 1] = 0;
+       break;

bazel/repositories.bzl

@@ -305,6 +305,8 @@ def _com_github_c_ares_c_ares():
     external_http_archive(
         name = "com_github_c_ares_c_ares",
         build_file_content = BUILD_ALL_CONTENT,
+        patch_args = ["-p1"],
+        patches = ["@envoy//bazel:c-ares.patch"],
     )
 
 def _com_github_cyan4973_xxhash():

changelogs/1.29.10.yaml

@@ -0,0 +1,6 @@
+date: October 29, 2024
+
+bug_fixes:
+- area: tracing
+  change: |
+    Fixed a bug where the OpenTelemetry tracer exports the OTLP request even when no spans are present.

changelogs/1.29.11.yaml

@@ -0,0 +1,15 @@
+date: December 8, 2024
+
+minor_behavior_changes:
+- area: dns
+  change: |
+    Patched c-ares to address CVE-2024-25629.
+
+bug_fixes:
+- area: access_log
+  change: |
+    Relaxed the restriction on SNI logging to allow the ``_`` character, even if
+    ``envoy.reloadable_features.sanitize_sni_in_access_log`` is enabled.
+- area: validation/tools
+  change: |
+    Add back missing extension for ``schema_validator_tool``.

changelogs/1.30.7.yaml

@@ -0,0 +1,6 @@
+date: October 29, 2024
+
+bug_fixes:
+- area: tracing
+  change: |
+    Fixed a bug where the OpenTelemetry tracer exports the OTLP request even when no spans are present.

changelogs/1.30.8.yaml

@@ -0,0 +1,18 @@
+date: December 8, 2024
+
+minor_behavior_changes:
+- area: dns
+  change: |
+    Patched c-ares to address CVE-2024-25629.
+
+bug_fixes:
+- area: access_log
+  change: |
+    Relaxed the restriction on SNI logging to allow the ``_`` character, even if
+    ``envoy.reloadable_features.sanitize_sni_in_access_log`` is enabled.
+- area: tracers
+  change: |
+    Avoid possible overflow when setting span attributes in Dynatrace sampler.
+- area: validation/tools
+  change: |
+    Add back missing extension for ``schema_validator_tool``.

changelogs/1.31.3.yaml

@@ -0,0 +1,6 @@
+date: October 29, 2024
+
+bug_fixes:
+- area: tracing
+  change: |
+    Fixed a bug where the OpenTelemetry tracer exports the OTLP request even when no spans are present.

changelogs/1.31.4.yaml

@@ -0,0 +1,18 @@
+date: December 8, 2024
+
+minor_behavior_changes:
+- area: dns
+  change: |
+    Patched c-ares to address CVE-2024-25629.
+
+bug_fixes:
+- area: access_log
+  change: |
+    Relaxed the restriction on SNI logging to allow the ``_`` character, even if
+    ``envoy.reloadable_features.sanitize_sni_in_access_log`` is enabled.
+- area: tracers
+  change: |
+    Avoid possible overflow when setting span attributes in Dynatrace sampler.
+- area: validation/tools
+  change: |
+    Add back missing extension for ``schema_validator_tool``.

changelogs/1.32.1.yaml

@@ -0,0 +1,6 @@
+date: October 29, 2024
+
+bug_fixes:
+- area: release
+  change: |
+    Container updates.

changelogs/1.32.2.yaml

@@ -0,0 +1,27 @@
+date: December 8, 2024
+
+minor_behavior_changes:
+- area: dns
+  change: |
+    Patched c-ares to address CVE-2024-25629.
+
+bug_fixes:
+- area: access_log
+  change: |
+    Relaxed the restriction on SNI logging to allow the ``_`` character, even if
+    ``envoy.reloadable_features.sanitize_sni_in_access_log`` is enabled.
+- area: original_ip_detection
+  change: |
+    Reverted :ref:`custom header
+    <envoy_v3_api_msg_extensions.http.original_ip_detection.custom_header.v3.CustomHeaderConfig>` extension to its
+    original behavior by disabling automatic XFF header appending that was inadvertently introduced in PR #31831.
+- area: tracers
+  change: |
+    Avoid possible overflow when setting span attributes in Dynatrace sampler.
+- area: validation/tools
+  change: |
+    Add back missing extension for ``schema_validator_tool``.
+- area: DNS
+  change: |
+    Fixed bug where setting ``dns_jitter <envoy_v3_api_field_config.cluster.v3.Cluster.dns_jitter>`` to large values caused Envoy Bug
+    to fire.

ci/Dockerfile-envoy

@@ -59,7 +59,7 @@ COPY --chown=0:0 --chmod=755 \
 
 
 # STAGE: envoy-distroless
-FROM gcr.io/distroless/base-nossl-debian12:nonroot@sha256:e130c09889f3b6c05dacd52d2612c30811e04eefe3280a6659037cfdd018de6c AS envoy-distroless
+FROM gcr.io/distroless/base-nossl-debian12:nonroot@sha256:2a803cc873dc1a69a33087ee10c75755367dd2c259219893504680480ad563f0 AS envoy-distroless
 EXPOSE 10000
 ENTRYPOINT ["/usr/local/bin/envoy"]
 CMD ["-c", "/etc/envoy/envoy.yaml"]

ci/do_ci.sh

@@ -935,7 +935,9 @@ case $CI_TARGET in
     release.signed)
         echo "Signing binary packages..."
         setup_clang_toolchain
-        bazel build "${BAZEL_BUILD_OPTIONS[@]}" //distribution:signed
+        bazel build \
+              "${BAZEL_BUILD_OPTIONS[@]}" \
+              //distribution:signed
         cp -a bazel-bin/distribution/release.signed.tar.zst "${BUILD_DIR}/envoy/"
         ;;